Adobe® ColdFusion® 10 Server Lockdown Guide

More documents

Recommendations

Info

Setting Default Recommendation Description Maximum number of simultaneous CFC function requests Maximum number of simultaneous Report threads Maximum number of threads available for CFTHREAD Timeout requests waiting in queue after Request Queue Timeout Page 15 1 if not using Remote CFC function requests, otherwise tuned. This setting applies only to CFC functions that have access=remote specified, as they are invoked using /example.cfc?method=MethodName. This applies to methods invoked via the ColdFusion AJAX proxy as well. If your applications do not make use of this feature set to 1. Otherwise use load testing to find the optimal value for this setting. 1 1 Keep this value at 1 unless you are using cfreport heavily. 10 1 if not using cfthread, tuned otherwise. 60 seconds 5 seconds (Match Request Timeout) Blank or /CFIDE/administra tor/templates/requ est_timeout_error. cfm Set this value to 1 if you are not using cfthread. If you do use cfthread setting a value too high can lead to context switching. This setting can generally be set equivalent to the Timeout Requests After value specified in the Settings section. A lower setting here can mitigate the effectiveness of DOS attacks. Specified Specify a HTML file giving the user a message to wait and retry their request again. The message should not disclose the fact that the queue timed out. 64
5.3 Server Settings > Client Variables Setting Default Recommendation Description Default Storage Mechanism for Client Sessions Cookie None / Cookie If applications have client management enabled a large amount of data can accumulate on the server. This can lead to a storage failure if disks become full. Because the registry is typically located on the system partition it is not recommended to use the Registry. 5.4 Server Settings > Memory Variables Setting Default Recommendation Description Use J2EE session variables Enable Session Variables Unchecked Checked if J2EE interoperability required. Checked Unchecked only if not using sessions When checked ColdFusion will use the session management of the underlying JEE container (eg Tomcat) instead of it’s own CFID/CFTOKEN. Most applications require session variables but if none of the applications on the server require them uncheck this box. 65
Page 1 and 2:
Adobe ColdFusion 10 Server Lockdown
Page 3 and 4:
Section 2: Installation Prerequisit
Page 6 and 7:
Next create a new user for the IIS
Page 8 and 9:
In the Advanced Security Settings D
Page 10 and 11:
User / Group Permissions cfusion (Y
Page 12 and 13:
Next Click Add Roles, and select th
Page 14 and 15: Review the list of Role Services an
Page 16 and 17: Under Process Model change the Iden
Page 18 and 19: URI Purpose Safe to Block /CFIDE/ad
Page 20 and 21: CFIDE/ServerManager Contains the AI
Page 22 and 23: Table 2.2.8.1 : CFIDE URIs Addition
Page 24 and 25: Next click on Sites and Add Web Sit
Page 27 and 28: 2.3 Prerequisites for a RedHat Ente
Page 29 and 30: Create a user for ColdFusion to run
Page 31 and 32: SSLRequireSSL The above requires t
Page 34 and 35: Do not install ColdFusion 10 ODBC S
Page 36 and 37: Select an install directory, a non-
Page 39 and 40: Choose a strong password and unique
Page 41 and 42: Section 4 - Post ColdFusion Install
Page 43 and 44: 4.1.3 Specify Log On User for ColdF
Page 45 and 46: When the ColdFusion IIS connector i
Page 47 and 48: 4.1.8 Remove Unused Handler Mapping
Page 49 and 50: without these settings enabled so y
Page 51 and 52: -bin /usr/sbin/httpd \ -script /etc
Page 53 and 54: # cp jvm.config jvm.config.backup T
Page 55 and 56: connectionTimeout="20000" redirectP
Page 57 and 58: Section 5: ColdFusion Administrator
Page 59 and 60: Setting Default Recommendation Desc
Page 63: 5.2 Server Settings > Request Tunin
Page 69 and 70: 5.8 Debugging & Logging > Debug Out
Page 71 and 72: 5.11 Event Gateways > Settings Sett
Page 73 and 74: 5.15 Security > Allowed IP Addresse
Page 75 and 76: Section 6: ColdFusion Server Servic
Page 77 and 78: JWS Files are Java Web Services fil
Page 79 and 80: If you are not using the cfreport y
Page 81 and 82: Note: it is important that you do n
Page 83 and 84: Section 7: Patch Management Procedu
Page 85 and 86: Appendix B: List of Acronyms Acrony
Page 87: Written by Pete Freitag For more in
show all

Adobe® ColdFusion® 10 Server Lockdown Guide

Create successful ePaper yourself

Delete template?

Save as template?